How to recover password to any WiFi network

Testing the security of a wireless network protected with WPA/WPA2 encryption is based on its ESSID name and a data packet known as the "handshake". We will describe the easiest and very effective way of capturing the "handshake" using the free Linux distribution Kali Linux.

After booting your computer from the Kali Linux memory stick, open a console window. By default Kali Linux starts with a graphical user interface; you can find the console in the top left corner of the screen. Just click the icon called "Terminal".

In the console window type the iwconfig command (confirm with Enter); it will list all wireless interfaces installed on the computer.

Our Kali Linux found wlan0.

Next we have to make sure our interface is up and running. Just type ifconfig wlan0 up.

Now it is time to check which WiFi networks are within range of our wireless interface. To do this we use the following command: iwlist wlan0 scanning

In this example we can see that there is a network called TTC2. We should write down its Access Point MAC address (in our case 00:19:19:FE:9E:32) and the channel on which it is transmitting (channel 6 in the attached picture).

PLEASE NOTE! It is possible that a wireless network is using a hidden ESSID name. If you want to see it you have to send a deauthentication packet. We will get back to this further in this tutorial.

In order to see and capture packets exchanged between the AP and connected devices we must put our wireless card in monitor mode. First check that the card is correctly recognized by the Linux system. Execute the command airmon-ng

If everything is OK and you can see your interface wlan0 listed, run the program again with the command airmon-ng start wlan0

Now check that the monitor interface has started correctly. Type ifconfig. You should see an interface called mon0.

The final step for capturing the "handshake" packet requires us to start another console window (click the "Terminal" icon). We will run airodump-ng in it. It will listen for a known user exchanging the "handshake" packet with the Access Point.

In order to do so we must enter another command in our newly started console window: the program name airodump-ng, the interface name mon0, the AP MAC address --bssid 00:19:19:FE:9E:32, the transmission channel --channel 6, and the name of the file in which the "handshake" will be saved --write OurWiFi

Take note that every command parameter is introduced by a double hyphen (--).

The program is started and is waiting for a known device to authenticate. After someone connects to the network you will see in the top right corner of the window that the "handshake" has been captured; it will show: WPA handshake: 00:19:19:FE:9E:32

PLEASE NOTE! If you do not want to wait for a device to connect to the network, you can force reauthentication. To see how to do it, check the further part of this tutorial.

The file with the saved "handshake" packet can be found in the Root directory. You can access it by double clicking the "Computer" icon on the Kali Linux desktop, choosing "File System" from the left menu, and opening the "Root" directory. Our "handshake" file is named OurWiFi-01.cap. Now you can upload that file to our website for security testing (password cracking attempt), or copy it to a USB memory stick to upload later. You will probably have to use another pendrive, because the bootable Kali Linux memory stick is usually write protected.

If you do not want to wait for a device to connect to the Access Point, you can send a deauthentication packet that will force an existing network user to resend the "handshake". The following instructions must be carried out after finishing point 7 of the main part of this tutorial. airodump-ng must be active in the other console window.

For forced deauthentication we will use a program called aireplay-ng. The command looks like this: the program name aireplay-ng, how many packets you want to send -0 10, which interface mon0, the network AP address -a 00:19:19:FE:9E:32, and the MAC of the device that should be the target of forced deauthentication -c 60:67:20:88:19:CC

If you want us to test the security of your network we must know the ESSID name and the "handshake" packet. Usually the ESSID is shown immediately after running iwlist wlan0 scanning, but sometimes it is not.

To check the wireless network name you should follow the instructions for forced deauthentication, but usually only one packet is necessary. Remember to open airodump-ng in a second window. It is best to use these instructions after completing point 7 of the main part of this tutorial.
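The forced deauthentication described above has a clear signature on the defender's side. The following added example (not part of the original tutorial) parses raw 802.11 management frames and flags a burst of deauthentication frames aimed at one client; it assumes frames without a radiotap header and uses a constructed sample capture built from the MAC addresses quoted in the tutorial.

```python
import struct
from collections import Counter

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def build_frame(fc0: int, addr1: str, addr2: str, addr3: str, body: bytes = b"") -> bytes:
    """Assemble a minimal raw 802.11 frame (FC, duration, 3 addresses, seq ctrl, body); sample only."""
    header = struct.pack("<BBH", fc0, 0, 0) + mac_bytes(addr1) + mac_bytes(addr2)
    return header + mac_bytes(addr3) + struct.pack("<H", 0) + body

def parse_frame(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3, body); None if the 24-byte header is incomplete."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3       # bits 2-3: 0 = management, 1 = control, 2 = data
    subtype = (fc0 >> 4) & 0xF     # bits 4-7: subtype 12 = deauthentication (management)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    return ftype, subtype, mac_str(a1), mac_str(a2), mac_str(a3), frame[24:]

def count_deauths(frames):
    """Count deauthentication frames per (BSSID, destination, reason code)."""
    counts = Counter()
    for f in frames:
        parsed = parse_frame(f)
        if parsed is None:
            continue
        ftype, subtype, da, _sa, bssid, body = parsed
        if ftype == 0 and subtype == 12:
            reason = struct.unpack("<H", body[:2])[0] if len(body) >= 2 else None
            counts[(bssid, da, reason)] += 1
    return counts

def flag_bursts(frames, threshold=5):
    """Keep only tuples at or above the threshold: one deauth is housekeeping, a burst at one client is not."""
    return {k: n for k, n in count_deauths(frames).items() if n >= threshold}

# Constructed sample capture, reusing the MAC addresses quoted in the tutorial.
AP, CLIENT, BCAST = "00:19:19:FE:9E:32", "60:67:20:88:19:CC", "FF:FF:FF:FF:FF:FF"
SAMPLE = (
    [build_frame(0x80, BCAST, AP, AP, b"\x00" * 12)]                    # one beacon
    + [build_frame(0xC0, AP, CLIENT, AP, struct.pack("<H", 3))]         # client leaving normally
    + [build_frame(0xC0, CLIENT, AP, AP, struct.pack("<H", 7)) for _ in range(10)]  # forged burst
)
```

On a real capture, feed each frame's bytes (with any radiotap header stripped) into flag_bursts; the flagged tuple identifies the BSSID and the client being pushed off the network.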
